German Bundestag: Posteo statement on privacy

Created on 13. March 2015, 16:15 | Category: Blog

Dear Posteo users, 

As of today you can find a statement from Posteo on the topic of “Privacy in the digital world” at bundestag.de. Our vice president of communications, Dean Ceulic, was a guest expert at the German parliament’s Digital Agenda committee. The topic of the discussion was “Startups, small to medium-sized businesses and privacy in the digital world”. In addition, we were asked to provide written replies to a list of questions that the various parliamentary groups prepared prior to the discussion. Our statement is now available on the Bundestag website (in German).
The discussion itself is available as a video at bundestag.de (in German).

An overview of the most important points for us

On German and European privacy standards:

We emphasised that strict German and European privacy regulations do not stand in the way of the economy. The opposite is true: European companies can use stricter privacy regulations to their advantage, protecting themselves (for example, from American competitors) using sophisticated privacy measures. Stricter privacy standards do not inhibit innovation; they actually constitute a competitive advantage for European companies. This view is shared by an overwhelming majority of the experts who took part in the discussion.

We criticise the German government’s current plans to weaken the high German and European privacy standards:

“Germany’s high standards for privacy have become a relevant factor for a company’s location, and should not be given up lightly. The principles of data reduction and purposeful use strengthen consumers’ trust in German companies and help strengthen citizens’ fundamental right to informational self-determination.”

We therefore demanded that the law stipulate that personal information can only be processed if allowed by law and with the affected party’s consent.

On data retention, we stated the following:
“Sensitive metadata such as IP addresses, for example, are currently under special protection in Germany. Connection and traffic data (such as IP addresses) must also be under special protection on a European level, as their evaluation enables compilation of extensive personality profiles. In particular, the retention of data should be opposed, as this severely impairs citizens’ fundamental rights according to several of the highest law courts.” 

On data economy and purposeful use:

The German government will in future consider the principles of data reduction and purposeful use when handling data.

We argued for maintaining both of these fundamental privacy principles, stating:

“When handling data, the principles of data reduction and purposeful use strengthen not only the citizens’ fundamental right to informational determination. Both factors also give companies a clear course of action and minimise uncertainties as to how they collect and process data – in particular also amongst one another.”

On the relationship between fundamental rights and security interests:

We emphasised that there is no conflict of objectives between security interests and the effective protection of citizens’ privacy. In a constitutional state, both poles should be in a far more balanced relationship with each other:

“To further strengthen democracy in the digital world, it is essential to restore a more balanced relationship between both poles. International, comprehensive surveillance activities by intelligence agencies can only be countered with measures for encryption, data economy and anonymisation. This is in the interest of citizens – as well as in the interest of companies and authorities.” 

Best regards,

The Posteo team

New: Anonymous payment system extended

Created on 06. January 2015, 18:00 | Category: Info

Dear Posteo users, 

Today our payment process has been superseded by our new, extended single-use code system for anonymised payments. Until now, our code-based payment system was used exclusively to separate payment data from the email accounts. From now on, the single-use codes also contain an encoded country determination, such that we can continue to maintain our concept of data economy despite new legal requirements.

On January 1st, the so-called “Kroatiengesetz” came into effect. This law is the German implementation of an EU regulation. It specifies that for electronic services, value added tax must be paid in the country in which the user lives. Previously, the service provider’s headquarters determined the tax location. From January 1st we are therefore required, for each payment process, to determine which country the payment comes to us from, using multiple measures. This can be done, for example, with the help of a Geo-IP determination or an evaluation of the payment information. The lawmakers require at least two attributes to be ascertained, and these attributes must not contradict each other. Fulfilling these new legal requirements was a challenge for us, as we don’t save any of your personal information and wish to continue not to do so.

We have therefore extended our anonymous payment process in preparation for the new law coming into effect, in order to maintain our consistent concept of data economy. We are now required to conduct a legally-specified country determination. Its result is encoded in a part of our payment codes that only you receive when you now start a payment process. This part of the code contains the result of a Geo-IP determination and a browser region determination (your IP address is not saved). The part of the code that is in our system is somewhat shorter and does not contain this sensitive information. The encoded part is “outsourced” to you until the payment is completed. This is important, because otherwise we would have personal data connected to your account in our system until completion of the payment, which is something we don’t want.

You provide us with the complete code, and thereby also the result of the country determination, in the purpose/description field of your payment. When a payment arrives at Posteo via bank transfer or in the post, our payment system automatically evaluates the code and can then allocate the payment to your account. The encoded country determination in the last three characters is also automatically evaluated, to determine the value added tax payable in the relevant EU country. The result is not connected with your account. The evaluation process only takes a fraction of a second. When the code is evaluated, credit is added to your account and the single-use code is deleted from the system. Thus it is no longer possible to tell which account you have transferred funds for. Nor is it possible to tell which country the user of an account lives in.

PayPal and credit card payments occur directly after starting a payment process. The use of a code system is therefore unnecessary here. Information on the country determination is also immediately evaluated and does not need to be temporarily saved. Neither the PayPal or credit card payment nor the country determination collected is connected with the email account.
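The split described above, as an added illustration that is not Posteo’s own code: the server keeps only a short random prefix mapped to the account, the user receives the full code with the country determination in the last three characters, and on redemption the code is deleted, the credit is booked to the account and the VAT country is tallied without any link to the account. The 3-character encoding, the 12-character prefix length and the handling of a Geo-IP/browser-region mismatch are assumptions made here, since the page does not specify them.

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_uppercase + string.digits
PREFIX_LEN = 12   # assumed length of the part that stays on the server


def encode_country(geoip_country: str, browser_region: str) -> str:
    """Assumed 3-character encoding: Geo-IP country (ISO alpha-2) followed by
    "1" if the browser region determination agrees with it, else "0"."""
    geo, browser = geoip_country.upper(), browser_region.upper()
    return geo + ("1" if geo == browser else "0")


def decode_country(suffix: str):
    """Return (country, attributes_agree) from the last three characters."""
    return suffix[:2], suffix[2] == "1"


@dataclass
class PaymentSystem:
    open_codes: dict = field(default_factory=dict)       # prefix -> account
    balances: dict = field(default_factory=dict)         # account -> credit
    vat_by_country: dict = field(default_factory=dict)   # country -> amount, no account

    def start_payment(self, account: str, geoip_country: str, browser_region: str) -> str:
        """Issue a single-use code; only the short prefix is kept here."""
        prefix = "".join(secrets.choice(ALPHABET) for _ in range(PREFIX_LEN))
        self.open_codes[prefix] = account
        # The country part travels with the user until the payment arrives.
        return prefix + encode_country(geoip_country, browser_region)

    def receive_payment(self, full_code: str, amount: int) -> bool:
        """Evaluate the code taken from the transfer's purpose field."""
        prefix, suffix = full_code[:-3], full_code[-3:]
        account = self.open_codes.pop(prefix, None)  # single use: deleted on first hit
        if account is None:
            return False                             # unknown or already redeemed
        self.balances[account] = self.balances.get(account, 0) + amount
        country, agree = decode_country(suffix)
        key = country if agree else "UNDETERMINED"   # assumed handling of a mismatch
        self.vat_by_country[key] = self.vat_by_country.get(key, 0) + amount
        return True
```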

We understand the lawmakers’ intention to block tax loopholes with the new law. It is, however, problematic that this EU regulation can force companies that want to operate with data reduction to collect and save users’ personal information. Most providers do not have an elaborate code-based system that allows data reduction; they simply have to collect and store the information, and this is how mounds of data pile up. In addition, a bank account is very secure against manipulation. We doubt whether additional measures such as geolocation would markedly increase reliability.

Further information on Posteo’s anonymous payment system can be found on the payment info page that we have set up.

Kind regards and all the best in the new year,

The Posteo team

New two-factor authentication available

Created on 12. November 2014, 14:45 | Category: Info

Dear Posteo users,

We have news: You now have the possibility to enable two-factor authentication for additional security of access to your Posteo account (in the browser).
The technology is comparable with multilevel security processes in the banking industry. At an ATM, you can only withdraw cash if you know something (your PIN) and possess something (your ATM card). With two-factor authentication, the situation is similar. In order to log in, you need something that you know (your Posteo password) as well as something that you possess (e.g. your mobile phone). The Posteo login process only changes slightly with the additional security: After entering your username and password, you will in addition be asked for a current one-time password. The current one-time password will be shown to you on a device (e.g. a mobile phone, tablet or desktop) on which you have activated two-factor authentication.

If criminals or intelligence agencies obtain your access information (username and password), they will have no way to access your account via the webmail interface and, for example, to manipulate your account and security settings. The conventional access details are no longer sufficient for the login process.

We have set up two-factor authentication to be as simple and secure as possible. With Posteo, two-factor authentication technology can be used not only with free apps for all current platforms, but also with special hardware (such as a Yubikey). All users who only access Posteo in the browser (i.e. webmail) can distinctly increase the overall security of their emails and account by enabling two-factor authentication. If you specify in the settings that you use webmail only, access will be blocked for local email programs. This eliminates attacks that do not go via the browser but via external programs (over IMAP and POP3).

Setting up two-factor authentication is simple. It is also recommended for users without technical knowledge. The technology is based on the open TOTP standard. There are no additional costs – the new function is provided at no extra charge. You can find out how to activate two-factor authentication in our help section.

Two-factor authentication significantly increases the security of webmail access. Our development team is currently also working on a solution that will also increase security of access via local email programs using a multilevel security process. We hope we can also make this solution available to you soon.
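To show what the open TOTP standard mentioned above means for the login step, here is an added example (not Posteo’s code) of the server side: password check first, then the current one-time password computed as in RFC 6238 with HMAC-SHA1 and 30-second steps, with a one-step clock-drift window and a guard against reusing an already-accepted code. The user record, salt, PBKDF2 password hashing and base32 secret are constructed for this example; the secret is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # length of the one-time password shown by the app


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecondFactor:
    """Server-side verifier; the shared secret is the 'something you possess'."""

    def __init__(self, base32_secret: str, window: int = 1):
        self.secret = base64.b32decode(base32_secret)
        self.window = window    # tolerate +/- this many steps of clock drift
        self.last_step = -1     # highest step already accepted (replay guard)

    def verify(self, candidate: str, now: int) -> bool:
        current = now // STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue        # a one-time password is valid once only
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, candidate):
                self.last_step = step
                return True
        return False


def login(user: dict, password: str, otp: str, now: int) -> bool:
    """Password first ('something you know'), then the current TOTP."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    return user["totp"].verify(otp, now)


def make_user(password: str, base32_secret: str, salt: bytes = b"constructed-salt") -> dict:
    """Constructed user record for the example (not a real account format)."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp": SecondFactor(base32_secret)}
```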

Best regards,

The Posteo team

Email encryption in your browser with Mailvelope

Created on 10. October 2014, 18:47 | Category: Blog

Dear Posteo users,

A few days ago, a new version of the encryption add-on Mailvelope (available for Firefox and Chrome) was released. The new version is preconfigured to work with Posteo.
Using the add-on, it is now possible to easily encrypt the content of emails using OpenPGP within the Posteo webmail interface. You can also sign your emails, but attachments cannot be encrypted using the add-on. Mailvelope is especially interesting for all who prefer to use the Posteo webmail interface and who would like to secure their emails with end-to-end encryption. Mailvelope is open source: the program code for the add-on is visible and based on open standards.

In the Posteo help section “Webmail”, you can find instructions on how to install the add-on in Firefox or Chrome and how encryption using Mailvelope works. Other browsers such as Safari or Internet Explorer do not yet support Mailvelope. If you encounter problems using Mailvelope or have questions about the add-on, please contact Mailvelope support.

Best regards,

The Posteo team

New webmail interface available

Created on 23. September 2014, 18:53 | Category: Blog

Dear Posteo users,

We have some important information for you: From today, the new standard
design of our webmail interface is available.
You can now activate the new design in the settings of your account via
“Einstellungen” → “Benutzeroberfläche” → “Oberflächendesign” (or “Settings”
→ “User Interface” → “Interface Skin”, if your interface is set to English).
If you would like to use the design, simply choose “Standard” and confirm by
clicking “Save”.

During the last few months, our team has been working on the appearance of the
user interface. The webmail site is now more appealing, and easier to use. We
will continue to support the old design until early 2015. We recommend
switching to the new design now.

We will soon make additional versions of the new standard design available to
choose from. Other parts of the website – for example, the help section – will
be progressively updated to match the new design.

As part of the design update, some technological improvements have been made
in the background. These lay the foundation for various new features, such as
Posteo email account encryption, which we will be introducing this autumn.

Best regards,

The Posteo team